b"Analysis of Survey Results\non the Smithsonian\xe2\x80\x99s Annual\nFinancial Statement\nAssurance Letter Process\n\n\n\n\nOffice of the Inspector General\nReport Number A-13-08\nJanuary 31, 2014\n\x0c         Smithsonian Institution\n         Office of the Inspector General\n                                Analysis of Survey Results on the Smithsonian\xe2\x80\x99s\n\nIn Brief                        Annual Financial Statement Assurance Letter\n                                Process\n                                Report Number A-13-08, January 31, 2014\n\n\nWhy We Did This Audit            What We Found\n\nOur audit objectives were        In responses to our survey questions, unit directors stated that\nto evaluate (a) the process      they generally understand what they are attesting to, and they\nthat unit directors use to       have an effective process to support their attestations.\nattest to the effectiveness\nof their units\xe2\x80\x99 financial        Over half of the respondents did not receive formal training\nreporting controls and           regarding their responsibilities as outlined in SD 310. However,\nfinancial information            those that did attend training indicated that it was effective or very\nreliability; (b) the training    effective. In addition, while the unit directors believed that the\nand guidance that the            Office of the Comptroller generally provided them with effective\nOffice of the Comptroller        guidance, some of them would like more direction on internal\nprovides to unit directors       control standards.\nregarding financial\nreporting controls; and          Unit directors did not identify any material weaknesses,\n(c) Smithsonian                  deficiencies, or areas of concern during the fiscal year 2012\nmanagement\xe2\x80\x99s response to         attestation letter process.\ndeficiencies or areas of\nconcern identified by the        The survey results did not indicate any major problems with the\nunit directors during the        fiscal year 2012 assurance letter process; however, the\nattestation letter process.      respondents did offer several areas where Smithsonian\n                                 management could improve the process and offer additional\nBackground                       training.\n\nAll Smithsonian unit             What We Recommended\ndirectors must attest\nannually that their units\xe2\x80\x99       To improve the annual assurance letter process, we recommended\nfinancial reporting controls     that the Chief Financial Officer evaluate the unit directors\xe2\x80\x99\nare operating effectively        comments to the survey and provide an action plan that addresses\nand that financial               the survey\xe2\x80\x99s results.\ninformation does not\ncontain material                 Management concurred with our recommendation and plans to\nmisstatements or                 offer one annual classroom style training class as well as on-line\nomissions. In June 2011,         training. Further, management will continue to offer individual\nSmithsonian management           sessions to directors by request.\ncreated Smithsonian\nDirective 310, Financial\nReporting and Risk\nManagement Internal\nControls. This directive\noutlines the guidance to\nunit directors regarding\ntheir responsibility during      For additional information or a copy of the full report, contact the\nthe annual attestation           Office of the Inspector General at (202) 633-7050 or visit\nletter process.                  http://www.si.edu/oig.\n\x0c\x0cSMITHSONIAN INSTITUTION                              OFFICE OF THE INSPECTOR GENERAL\n\n\n\n                            INTRODUCTION\n\nAll Smithsonian unit directors must attest annually that their units\xe2\x80\x99 financial\nreporting controls are operating effectively and that financial information does not\ncontain material misstatements or omissions. Smithsonian management requires\nthat unit directors conduct this attestation because they are in positions that are\ncritical for safeguarding Smithsonian assets and resources.\n\nOur audit objectives were to evaluate (a) the process that unit directors use to\nattest to the effectiveness of their units\xe2\x80\x99 financial reporting controls and financial\ninformation reliability; (b) the training and guidance that the Office of the\nComptroller (OC) provides to unit directors regarding financial reporting controls;\nand (c) Smithsonian management\xe2\x80\x99s response to deficiencies or areas of concern\nidentified by the unit directors during the attestation letter process.\n\nTo meet these objectives, we conducted a survey of all unit directors who must\nattest to the effectiveness of their units\xe2\x80\x99 financial reporting controls and the\nreliability of their units\xe2\x80\x99 financial information. We provided a redacted copy of the\nresponses to the survey to the Under Secretary for Finance and\nAdministration/Chief Financial Officer (CFO). See Appendix A for our transmittal\nmemo of the survey responses to the CFO. A detailed description of our objectives,\nscope, and methodology is included in Appendix B. The summary of the results of\nour survey are included in Appendix C, and management\xe2\x80\x99s response to the audit\nreport is in Appendix D.\n\nAfter we started our audit, in June 2013, OC and the Office of the Treasurer were\ncombined to form the Office of Finance and Accounting. Our review focused on the\nattestation letter process for fiscal year 2012\xe2\x80\x94the period prior to this\nreorganization.\n\n                             BACKGROUND\n\nIn June 2011, Smithsonian management created Smithsonian Directive (SD) 310,\nFinancial Reporting and Risk Management Internal Controls, based on the principles\noutlined in the Committee of Sponsoring Organizations of the Treadway\nCommission evaluation methodology, the Office of Management and Budget\nCircular A-123, Management\xe2\x80\x99s Responsibility for Internal Control, and the Sarbanes\nOxley Act of 2002. This directive outlines the guidance to unit directors regarding\ntheir responsibility during the annual attestation letter process. To follow up on the\ndirective, in September 2011, Smithsonian management offered formal training to\nassist unit directors in understanding their responsibilities for financial reporting\nand internal controls.\n\nSD 310, Financial Reporting and Risk Management Internal Controls\n\nSD 310 requires unit directors to implement and execute all internal controls as\nthey pertain to unit operations. In addition, SD 310 outlines the unit directors\xe2\x80\x99\nresponsibility to provide assurance that their units\xe2\x80\x99 financial reporting controls are\n\n                                           1\n\x0cSMITHSONIAN INSTITUTION                              OFFICE OF THE INSPECTOR GENERAL\n\n\n\noperating effectively and that financial information does not contain material\nmisstatements or omissions.\n\nSD 310 Definitions\n\nAssurance Statement \xe2\x80\x94 A written statement by each unit director that is submitted\nto the Office of the Chief Financial Officer at the close of each fiscal year as\nassurance that a unit\xe2\x80\x99s internal controls are operating effectively and that the unit\xe2\x80\x99s\nfinancial information fairly represents the unit\xe2\x80\x99s financial condition.\n\nAttestation \xe2\x80\x94 The term \xe2\x80\x9cattestation\xe2\x80\x9d is used interchangeably with the term\n\xe2\x80\x9cassurance.\xe2\x80\x9d\n\nCritical Controls \xe2\x80\x94 Those controls, which by their absence or weakness, could have\na material impact on the Smithsonian\xe2\x80\x99s presentation of financial information to both\ninternal and external stakeholders.\n\nMaterial Weakness \xe2\x80\x94 A deficiency or a combination of deficiencies in internal\ncontrols, such that there is a reasonable possibility that a material misstatement of\nthe entity\xe2\x80\x99s financial statements will not be prevented, or detected and corrected,\non a timely basis.\n\nProcess Custodians \xe2\x80\x94 Unit directors who are responsible for implementing and\nexecuting all internal controls as they pertain to unit operations. Unit operations are\nnot always financial in nature, but nevertheless contribute to providing reasonable\nassurance that financial reports are reliable and accurate.\n\n                                RESULTS OF AUDIT\n\nBased on our interviews with management, as well as our review of the survey\nresults, training records, and the fiscal year 2012 attestation letters:\n\n1. Unit directors stated that they generally understand what they are attesting to,\n   and they have an effective process to support their attestations.\n\n2. Over half of the respondents did not receive formal training regarding their\n   responsibilities as outlined in SD 310. However, those that did attend relevant\n   training indicated that it was effective or very effective. In addition, while the\n   unit directors believed that OC generally provided them with effective guidance,\n   some of them would like more direction on internal control standards.\n\n3. No unit directors identified any material weaknesses, deficiencies, or areas of\n   concern during the fiscal year 2012 attestation letter process.\n\nWe issued a survey to all the directors that provided fiscal year 2012 attestations.\nOf the 52 we surveyed, 36 responded; 5 of the 16 individuals who did not respond\nwere no longer in a position that required them to provide an annual attestation\nletter because they had left the Smithsonian or were no longer in a director\xe2\x80\x99s role.\n\n                                           2\n\x0cSMITHSONIAN INSTITUTION                                        OFFICE OF THE INSPECTOR GENERAL\n\n\n\nDirectors Stated That They Generally Understand What They Are Attesting to and\nThey Have an Effective Process to Support Their Attestations\n\nAccording to the unit directors, they generally understand what they are attesting\nto in the fiscal year-end attestation letter. As illustrated in the figure below, 86\npercent of the respondents stated that they understand what they are attesting to,\nand 14 percent of respondents stated that they understand most or some of what\nthey were attesting to in the attestation letter. Furthermore, none of the\nrespondents stated that they do not understand most or all of what they are\nattesting to in the letter.\n\n               How Would You Describe Your Level of Understanding of\n                           What You Are Attesting to?\n\n 100%\n  90%         86%\n  80%\n  70%\n  60%\n  50%\n  40%\n  30%\n  20%\n                                8%                6%\n  10%\n                                                                   0%                0%\n   0%\n        I understand what I understand most I understand some      I do not       I do not\n          I am attesting to  of what I am      of what I am   understand most understand what I\n                              attesting to      attesting to    of what I am   am attesting to\n                                                                attesting to\n\n\nWe determined that unit directors generally have an effective process to support\ntheir attestations. We asked unit directors to describe the process they go through\nto support their attestation. Based on our evaluation of the 36 responses to this\nquestion, we concluded that the directors were conducting reasonable internal\ncontrol and monitoring activities to support their attestations. Although the\nresponses varied, the following two were representative of the respondents\xe2\x80\x99\nanswers and contained characteristics that are part of a sound process:\n\n        \xe2\x80\x9cI meet weekly with my director of finance and as part of that meeting\n        review any/all business operations for compliance. Additionally I meet every\n        2 weeks with my senior managers and discuss any changes to business\n        operations including new or updated SD\xe2\x80\x99s to provide guidance for our work.\xe2\x80\x9d\n\n        \xe2\x80\x9cI have a meeting with each of my direct reports and discuss the control\n        procedures used in their respective areas and their effectiveness. In some\n        cases, I also ask them to provide written assurance for their respective areas\n        of responsibility.\xe2\x80\x9d\n                                                   3\n\x0cSMITHSONIAN INSTITUTION                              OFFICE OF THE INSPECTOR GENERAL\n\n\n\nAlthough Over Half of the Respondents Did Not Have Training, the Directors Stated\nthat OC Generally Provided Them with Effective Guidance\n\nAccording to our survey, 61 percent of the respondents replied they did not receive\ntraining. However, for those who indicated they did have training, 86 percent\ndescribed the training as \xe2\x80\x9cVery Effective\xe2\x80\x9d or \xe2\x80\x9cEffective.\xe2\x80\x9d\n\nThe respondents had the option to leave comments and some of them thought\nadditional training or guidance would be helpful. Two respondents commented as\nfollows:\n\n      \xe2\x80\x9cEffective at the time but regular, easily accessible refresher training is\n      essential.\xe2\x80\x9d\n\n      \xe2\x80\x9cWe are provided no [guidance] in establishing controls. Each unit is\n      expected to implement their own controls. Instead of us spending time\n      creating a process, why can't the SI provide us with a process and teach this\n      to the financial teams in the units?\xe2\x80\x9d\n\nOC offered formal training in September 2011 and October 2012, after Smithsonian\nmanagement issued SD 310. The directive required unit directors to attest to the\neffectiveness of their units\xe2\x80\x99 financial internal controls and the reliability of their\nunits\xe2\x80\x99 financial information. By not offering more periodic training, directors may be\nunable to effectively attest. For example, they may not have a sufficient control\nstructure in place to support their attestations.\n\n\n\n\n                                          4\n\x0cSMITHSONIAN INSTITUTION                                   OFFICE OF THE INSPECTOR GENERAL\n\n\n\nNotwithstanding this lack of training among respondents, the survey results\nindicated that OC generally provided effective guidance regarding the respondents\xe2\x80\x99\nresponsibilities as process custodians and attestation signatories. As illustrated in\nthe figure below, 72 percent of the respondents replied that OC\xe2\x80\x99s guidance was\nvery effective or effective.\n\n                           How Would You Describe OC's Guidance?\n\n 70%\n                                     61%\n 60%\n\n 50%\n\n 40%\n\n 30%\n                                                       20%\n 20%\n              11%\n                                                                          8%\n 10%\n\n  0%\n          Very Effective           Effective   Somewhate Ineffective   Ineffective\n\n\nIn addition, the respondents had the option to add comments regarding OC\xe2\x80\x99s\nguidance. The following quote is an example of the respondents\xe2\x80\x99 comments:\n\n       \xe2\x80\x9cIf I had a question about [the] process, [the comptroller] was very\n       responsive.\xe2\x80\x9d\n\nNo Material Weaknesses, Deficiencies, or Areas of Concern Were Identified During\nthe 2012 Attestation Letter Process\n\nBased on our review of fiscal year 2012 attestation letters, no unit director\nidentified material weaknesses. Likewise, according to management, unit directors\nreported no material weaknesses in fiscal year 2013.\n\nBased on the results of our survey, unit directors generally appear to have\nprocesses that identify and resolve control deficiencies, including material\nweaknesses. However, some unit directors would like more guidance, as illustrated\nby the following comment by a respondent:\n\n       \xe2\x80\x9cThere should be one document that says, if we audit you, this is exactly\n       what we are going to be looking for and this is the process that you should\n       be following (daily, weekly, monthly?) to ensure that you are compliant.\xe2\x80\x9d\n\n                                               5\n\x0cSMITHSONIAN INSTITUTION                             OFFICE OF THE INSPECTOR GENERAL\n\n\n\nConclusion\n\nThe survey results did not indicate any major problems with the fiscal year 2012\nassurance letter process; however, as described in their open-ended comments, the\nrespondents did offer several areas where Smithsonian management could improve\nthe process and offer additional training.\n\nRecommendation\n\nTo improve the annual assurance letter process, we recommend that the CFO\nevaluate the unit directors\xe2\x80\x99 comments to the survey and provide an action plan that\naddresses the survey\xe2\x80\x99s results.\n\nManagement concurred with our recommendation and plans to offer one annual\nclassroom style training class as well as on-line training. Further, management will\ncontinue to offer individual sessions to directors by request. The full text of their\nresponse appears in Appendix D.\n\n\n\n\n                                          6\n\x0cSMITHSONIAN INSTITUTION         OFFICE OF THE INSPECTOR GENERAL\n\n\n                                                   Appendix A\n\n\n\n\n                          A-1\n\x0cSMITHSONIAN INSTITUTION                              OFFICE OF THE INSPECTOR GENERAL\n\n\n                                                                          APPENDIX B\n\nOBJECTIVES, SCOPE, AND METHODOLOGY\n\nThe objectives of this audit were to evaluate (a) the process that unit directors use\nto attest to the effectiveness of their units\xe2\x80\x99 financial reporting controls and financial\ninformation reliability; (b) the training and guidance that the Office of the\nComptroller provides to unit directors regarding financial reporting controls; and (c)\nSmithsonian management\xe2\x80\x99s response to deficiencies or areas of concern identified\nby the unit directors during the assurance letter process.\n\nTo accomplish our objectives, we developed a seven-question survey that we sent\nto all 52 of the fiscal year 2012 attestation letter signatories. The survey consisted\nof multiple-choice, dichotomous, and open-ended questions. The majority of the\nevidence we used to support our findings and conclusions came from the survey.\nWe did not review the underlying documentation that directors stated they used to\nsupport that processes and controls were in place to enable them to attest to their\nunits\xe2\x80\x99 financial reporting effectiveness. Refer to Appendix C for the statistical results\nof the survey.\n\nIn addition, we reviewed Smithsonian Directive 310, Financial Reporting and Risk\nManagement Internal Controls. We also reviewed the fiscal year 2012 attestation\nletters signed by the unit directors. We did not assess the reliability of computer\nprocessed data because no information technology systems were relevant to the\nobjectives of our audit.\n\nWe met with management and staff from the Office of the Chief Financial Officer,\nthe Office of the Comptroller, and representatives of certain unit directors. In\naddition, we answered various questions from survey respondents through\ntelephone and email.\n\nWe conducted this performance audit in Washington, DC from June 2013 to\nNovember 2013 in accordance with generally accepted government auditing\nstandards. Those standards require that we plan and perform the audit to obtain\nsufficient, appropriate evidence to provide a reasonable basis for our findings and\nconclusions based on our audit objectives. We believe that the evidence we\nobtained provides a reasonable basis for our findings and conclusions based on our\naudit objectives.\n\n\n\n\n                                          B-1\n\x0cSMITHSONIAN INSTITUTION                         OFFICE OF THE INSPECTOR GENERAL\n\n\n                                                                   APPENDIX C\n\nSUMMARY OF THE SURVEY RESULTS\n\n                              Survey Response Rate\n\n                                       Total          Percentage\n           Responded                    36               69%\n           Not Responded                16               31%\n            Total Surveys Sent          52              100%\n\n\n      Not Responded                 Number                 Percentage to\n                                                            Population\nNo Longer at Smithsonian               5                       10%\nor Not in the Director Role\nNot Responded                         11                        21%\n           Total                      16                        31%\n\n                                Survey Questions\n\n1. As a unit director, you are responsible for signing a September 30th\n   fiscal year end annual assurance letter. How would you describe your\n   level of understanding of what you are attesting to?\n\n                                      Number                Percentage\nI understand what I am                  31                     86%\nattesting to.\nI understand most of what I                3                     8%\nam attesting to.\nI understand some of what I                2                     6%\nam attesting to.\nI do not understand most of                0                     0%\nwhat I am attesting to.\nI do not understand what I am              0                     0%\nattesting to.\n              Total                        36                  100%\n\n\n2. Have you had training that addressed your responsibility for\n   establishing and maintaining adequate internal controls over financial\n   reporting as described in the assurance letter?\n\n                                    Number                  Percentage\nYes                                   14                       39%\nNo                                    22                       61%\n          Total                       36                      100%\n\n                                      C-1\n\x0cSMITHSONIAN INSTITUTION                          OFFICE OF THE INSPECTOR GENERAL\n\n\n\n\n3. If yes, how would describe the training\xe2\x80\x99s effectiveness?\n\n                                        Number               Percentage\nVery effective                             6                    43%\nEffective                                  6                    43%\nSomewhat ineffective                       2                    14%\nIneffective                                0                     0%\n            Total                         14                   100%\n\n4. How would you describe the Office of the Comptroller\xe2\x80\x99s guidance on\n   your responsibility as a Process Custodian, as defined in SD310, and\n   attestation signatory?\n\n                                        Number               Percentage\nVery effective                             4                    11%\nEffective                                 22                    61%\nSomewhat ineffective                       7                    20%\nIneffective                                3                     8%\n            Total                         36                   100%\n\n5. Indicate what critical internal control documentation you use to support\n   your attestation.*\n\n          Documentation Type                              Total\nRisk Assessment                                            20\nCritical Control Assessment                                19\nFlow Charts or Narrative Descriptions                      11\nUnit Level Policies and Procedures                         30\n\n\n*Some unit directors chose more than one type of documentation.\n\n\n\n\n                                         C-2\n\x0cAppendix D - Management's Response\n\x0cAppendix D - Management's Response\n\x0cSMITHSONIAN INSTITUTION                   OFFICE OF THE INSPECTOR GENERAL\n\n\n                                                           APPENDIX E\n\nMAJOR CONTRIBUTORS TO THIS REPORT\n\nBruce Gallus, Supervisory Auditor\nJoseph Benham, Auditor-in-Charge\nElsy Woodill, Auditor\n\n\n\n\n                                    E-1\n\x0c"